Airlock Blog

Audit and Enforcement Modes in Airlock’s Allowlisting Solution

Written by Iain Ferguson | 18 June 2024


The value of Airlock's Allowlisting Solution (Airlock) to organisations lies in significantly reducing the risk of malware and ransomware infection on their endpoints, without impacting productivity. But how can organisations understand which files and applications are running in their environments so they can create trust-based allowlists that meet their requirements? And how can they then put those allowlists into effect?

To address these challenges, Airlock provides two operating modes, audit and enforcement. In line with our approach of building software by security practitioners for security practitioners, we have made each mode, and the transition between them, as efficient, functional and intuitive as possible.

Audit Mode

Audit mode enables organisations to build the policies that ensure legitimate files and applications continue to run within their environments. During this discovery phase, nothing is blocked: the Airlock agent records file executions across endpoint devices such as desktops, laptops and servers, and a record of the files and applications observed executing is automatically sent back to Airlock's central console. Administrators then work through the data the agent has collected, which informs the next stage of tuning policy.

Easily Reducing Untrusted Executions and Tuning Policy

With Airlock, administrators can work through untrusted file executions in bulk and reduce the volume of file data quickly. File data is captured continuously for use across the solution, and administrators can drill into and filter unique files by hash, publisher, parent process and other attributes. Airlock's 'bulk add' process aggregates file data and creates a summary based on reputation, established through Airlock's partnership with VirusTotal, with files categorised as known, unknown, suspicious or malicious. Malicious files are not selected by default, so an administrator has to opt in deliberately before such a file can be trusted.

This process enables administrators to define the files they trust, within a relevant policy group. An administrator then chooses the relevant policy tree and Airlock updates, regenerates and delivers the policy to the organisation’s endpoints. This update process occurs automatically after each policy change is performed by an administrator. The end user may then run trusted files without interruption.

Running this process a number of times enables an administrator to reduce the volume of untrusted executions from tens of thousands to tens quickly and easily. In particular, applying trust selection to files signed by reputable publishers such as Microsoft and Google brings the number down sharply. Our customers typically take about three weeks to tune policy, regardless of scale. 

The process takes about the same length of time whether a customer has 10, 100 or 100,000 computers because in most enterprise environments, computers share about 80% of file data between them. Once this process is completed, administrators typically spend less than 20 minutes in the product each day to perform the required tasks.  

Enforcement Mode 

At this point the organisation is ready to move into enforcement mode. In this mode the agent enforces the policy sets administrators have built and proactively prevents non-allowlisted applications and files from running in the environment. This is where Airlock delivers a powerful security outcome: the organisation minimises the risk to its operations, people and customers that malicious code and other unauthorised software executions would otherwise present.
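The tuning loop described in the previous section (collapse executions to unique hashes, filter by publisher and parent process, summarise by reputation, bulk-add trust with malicious files left unselected) and the audit-versus-enforcement decision described above can be made concrete with a small model. The following is an added example written for this page, not Airlock's own code: the hosts, paths, hashes and the reputation table are constructed, and the reputation lookup is a plain dictionary standing in for an external service.

```python
"""Model of the audit -> tune -> enforce allowlisting workflow.

Constructed example, not Airlock code. All hosts, paths, hashes and the
reputation table are made up for illustration.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Execution:
    """One file execution reported by an endpoint agent in audit mode."""
    host: str
    path: str
    sha256: str
    publisher: str | None   # code-signing publisher, None if unsigned
    parent: str             # parent process that launched the file


def fake_hash(label: str) -> str:
    """Stand-in for a real file hash (constructed from a label)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed audit telemetry: the same file seen on several hosts collapses
# to one unique hash during tuning.
SAMPLE_EXECUTIONS = [
    Execution("ws01", r"C:\Program Files\Google\Chrome\chrome.exe", fake_hash("chrome"), "Google LLC", "explorer.exe"),
    Execution("ws02", r"C:\Program Files\Google\Chrome\chrome.exe", fake_hash("chrome"), "Google LLC", "explorer.exe"),
    Execution("ws01", r"C:\Windows\System32\notepad.exe", fake_hash("notepad"), "Microsoft Windows", "explorer.exe"),
    Execution("ws02", r"C:\Windows\System32\notepad.exe", fake_hash("notepad"), "Microsoft Windows", "explorer.exe"),
    Execution("srv01", r"C:\Windows\System32\notepad.exe", fake_hash("notepad"), "Microsoft Windows", "explorer.exe"),
    Execution("ws01", r"C:\Program Files\Microsoft Office\WINWORD.EXE", fake_hash("winword"), "Microsoft Corporation", "explorer.exe"),
    Execution("ws01", r"C:\Tools\inventory.exe", fake_hash("inventory"), None, "explorer.exe"),
    Execution("ws02", r"C:\Users\alice\AppData\Local\Temp\update.exe", fake_hash("update"), None, "WINWORD.EXE"),
    Execution("srv01", r"C:\Users\bob\Downloads\loader.exe", fake_hash("loader"), None, "WINWORD.EXE"),
]

# Constructed reputation table standing in for an external lookup service.
REPUTATION = {
    fake_hash("chrome"): "known",
    fake_hash("notepad"): "known",
    fake_hash("winword"): "known",
    fake_hash("inventory"): "unknown",
    fake_hash("update"): "suspicious",
    fake_hash("loader"): "malicious",
}


@dataclass
class Policy:
    """Allowlist: explicit file hashes plus trusted signing publishers."""
    trusted_hashes: set[str] = field(default_factory=set)
    trusted_publishers: set[str] = field(default_factory=set)
    mode: str = "audit"     # "audit" or "enforce"


def is_trusted(policy: Policy, ex: Execution) -> bool:
    """A file is trusted by exact hash or by its signing publisher."""
    return ex.sha256 in policy.trusted_hashes or (
        ex.publisher is not None and ex.publisher in policy.trusted_publishers
    )


def untrusted_files(executions: list[Execution], policy: Policy) -> dict:
    """Collapse untrusted executions to unique hashes, keeping the attributes
    an administrator filters on: publisher, parents, hosts, paths, reputation."""
    files: dict[str, dict] = {}
    for ex in executions:
        if is_trusted(policy, ex):
            continue
        entry = files.setdefault(ex.sha256, {
            "publisher": ex.publisher, "parents": set(), "hosts": set(),
            "paths": set(), "reputation": REPUTATION.get(ex.sha256, "unknown"),
        })
        entry["parents"].add(ex.parent)
        entry["hosts"].add(ex.host)
        entry["paths"].add(ex.path)
    return files


def reputation_summary(executions: list[Execution], policy: Policy) -> dict:
    """Count untrusted unique files per reputation category."""
    counts: dict[str, int] = defaultdict(int)
    for entry in untrusted_files(executions, policy).values():
        counts[entry["reputation"]] += 1
    return dict(counts)


def bulk_add(policy: Policy, executions: list[Execution],
             categories=("known", "unknown")) -> set[str]:
    """Trust every untrusted unique file in the selected categories.
    Malicious (and, in this model, suspicious) files are not selected unless
    the caller opts in explicitly."""
    added = {h for h, e in untrusted_files(executions, policy).items()
             if e["reputation"] in categories}
    policy.trusted_hashes |= added
    return added


def evaluate(policy: Policy, ex: Execution) -> tuple[str, str]:
    """Agent-side decision: audit mode lets an untrusted file run but records
    it; enforce mode blocks it. Trusted files run in both modes."""
    if is_trusted(policy, ex):
        return ("allow", "trusted")
    if policy.mode == "audit":
        return ("allow", "untrusted-logged")
    return ("block", "untrusted")


if __name__ == "__main__":
    policy = Policy()
    print("untrusted unique files:", len(untrusted_files(SAMPLE_EXECUTIONS, policy)))
    policy.trusted_publishers |= {"Microsoft Windows", "Microsoft Corporation", "Google LLC"}
    print("after trusting publishers:", reputation_summary(SAMPLE_EXECUTIONS, policy))
    print("bulk-added hashes:", len(bulk_add(policy, SAMPLE_EXECUTIONS)))
    loader = SAMPLE_EXECUTIONS[-1]
    print("audit mode:", evaluate(policy, loader))
    policy.mode = "enforce"
    print("enforce mode:", evaluate(policy, loader))
```

Two points the model makes visible: trusting a handful of publishers removes most unique files in one step, which is why the post says the count drops sharply once Microsoft and Google are trusted, and switching `mode` changes only the decision for files that are already untrusted, so the work done in audit mode carries over unchanged into enforcement.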

In addition, because each organisation customises its allowlisting deployment to its specific needs, malicious actors' ability to test attacks in advance against a representative configuration is severely limited. And critically, organisations can elevate their security capabilities to align with the Australian Signals Directorate's Essential Eight, the United States' NIST SP 800-171 Revision 3 and NIST Cybersecurity Framework, and the Communications Security Establishment Canada's Top 10 IT Security Actions.


In our next blog, we’ll explore the role of one time pads in enabling streamlined exception management in Airlock.

Airlock Digital is here to help! Book a demo with any of our team members.